Apache HTTP Server Version 2.0
This document refers to the 2.0 version of Apache httpd, which is no longer maintained. Upgrade, and refer to the current version of httpd instead, documented at:
All PCs are compatible. But some of them are more compatible than others.
-- Unknown
Here we talk about backward compatibility to other SSL solutions. As you perhaps know, mod_ssl is not the only existing SSL solution for Apache. Actually there are four additional major products available on the market: Ben Laurie's freely available Apache-SSL (from which mod_ssl was originally derived in 1998), Red Hat's commercial Secure Web Server (which is based on mod_ssl), Covalent's commercial Raven SSL Module (also based on mod_ssl) and finally C2Net's commercial product Stronghold (based on a different evolution branch named Sioux up to Stronghold 2.x and based on mod_ssl since Stronghold 3.x).
The idea in mod_ssl is mainly the following: because mod_ssl provides mostly a superset of the functionality of all other solutions, we can easily provide backward compatibility for most of the cases. Actually there are three compatibility areas we currently address: configuration directives, environment variables and custom log functions.
For backward compatibility to the configuration directives of other SSL solutions we do an on-the-fly mapping: directives which have a direct counterpart in mod_ssl are mapped silently while other directives lead to a warning message in the logfiles. The currently implemented directive mapping is listed in Table 1. Currently full backward compatibility is provided only for Apache-SSL 1.x and mod_ssl 2.0.x. Compatibility to Sioux 1.x and Stronghold 2.x is only partial because of special functionality in these interfaces which mod_ssl (still) doesn't provide.
Old Directive | mod_ssl Directive | Comment |
---|---|---|
Apache-SSL 1.x & mod_ssl 2.0.x compatibility: | | |
SSLEnable | SSLEngine on | compactified |
SSLDisable | SSLEngine off | compactified |
SSLLogFile file | SSLLog file | compactified |
SSLRequiredCiphers spec | SSLCipherSuite spec | renamed |
SSLRequireCipher c1 ... | SSLRequire %{SSL_CIPHER} in {"c1", ...} | generalized |
SSLBanCipher c1 ... | SSLRequire not (%{SSL_CIPHER} in {"c1", ...}) | generalized |
SSLFakeBasicAuth | SSLOptions +FakeBasicAuth | merged |
SSLCacheServerPath dir | - | functionality removed |
SSLCacheServerPort integer | - | functionality removed |
Apache-SSL 1.x compatibility: | | |
SSLExportClientCertificates | SSLOptions +ExportCertData | merged |
SSLCacheServerRunDir dir | - | functionality not supported |
Sioux 1.x compatibility: | | |
SSL_CertFile file | SSLCertificateFile file | renamed |
SSL_KeyFile file | SSLCertificateKeyFile file | renamed |
SSL_CipherSuite arg | SSLCipherSuite arg | renamed |
SSL_X509VerifyDir arg | SSLCACertificatePath arg | renamed |
SSL_Log file | SSLLogFile file | renamed |
SSL_Connect flag | SSLEngine flag | renamed |
SSL_ClientAuth arg | SSLVerifyClient arg | renamed |
SSL_X509VerifyDepth arg | SSLVerifyDepth arg | renamed |
SSL_FetchKeyPhraseFrom arg | - | not directly mappable; use SSLPassPhraseDialog |
SSL_SessionDir dir | - | not directly mappable; use SSLSessionCache |
SSL_Require expr | - | not directly mappable; use SSLRequire |
SSL_CertFileType arg | - | functionality not supported |
SSL_KeyFileType arg | - | functionality not supported |
SSL_X509VerifyPolicy arg | - | functionality not supported |
SSL_LogX509Attributes arg | - | functionality not supported |
Stronghold 2.x compatibility: | | |
StrongholdAccelerator dir | - | functionality not supported |
StrongholdKey dir | - | functionality not supported |
StrongholdLicenseFile dir | - | functionality not supported |
SSLFlag flag | SSLEngine flag | renamed |
SSLSessionLockFile file | SSLMutex file | renamed |
SSLCipherList spec | SSLCipherSuite spec | renamed |
RequireSSL | SSLRequireSSL | renamed |
SSLErrorFile file | - | functionality not supported |
SSLRoot dir | - | functionality not supported |
SSL_CertificateLogDir dir | - | functionality not supported |
AuthCertDir dir | - | functionality not supported |
SSL_Group name | - | functionality not supported |
SSLProxyMachineCertPath dir | - | functionality not supported |
SSLProxyMachineCertFile file | - | functionality not supported |
SSLProxyCACertificatePath dir | - | functionality not supported |
SSLProxyCACertificateFile file | - | functionality not supported |
SSLProxyVerifyDepth number | - | functionality not supported |
SSLProxyCipherList spec | - | functionality not supported |
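The mapping in Table 1 applied offline to a configuration file, as an added example that is not part of the original documentation or of mod_ssl itself: it rewrites a subset of the old directives to their mod_ssl form and turns rows with no counterpart into review comments, so they are decided on explicitly rather than left to a warning in the logfiles. The function names and the sample configuration are assumptions made for this example.

```python
import re

# Subset of Table 1: old directive (lower-cased) -> mod_ssl form; {a} = original arguments.
MAPPED = {
    "sslenable": "SSLEngine on",
    "sslrequiredciphers": "SSLCipherSuite {a}",
    "ssl_certfile": "SSLCertificateFile {a}",
    "ssl_clientauth": "SSLVerifyClient {a}",
}
# Rows of Table 1 with "-" in the mod_ssl column: these need a human decision.
UNMAPPED = {
    "sslcacheserverpath": "functionality removed",
    "ssl_sessiondir": "not directly mappable; use SSLSessionCache",
    "ssl_x509verifypolicy": "functionality not supported",
}

def cipher_set(args):
    # Build the {"c1", "c2"} set literal used by the generalized SSLRequire form.
    return "{" + ", ".join('"%s"' % c for c in args.split()) + "}"

def migrate_line(line):
    """Return (rewritten_line, note); note is None unless review is needed."""
    m = re.match(r"^(\s*)([A-Za-z_]\w*)\s*(.*?)\s*$", line)
    if not m:  # comments, blank lines, <Section> tags pass through untouched
        return line, None
    indent, name, args = m.groups()
    key = name.lower()  # httpd matches directive names case-insensitively
    if key in MAPPED:
        return indent + MAPPED[key].format(a=args), None
    if key == "sslrequirecipher":
        return indent + "SSLRequire %{SSL_CIPHER} in " + cipher_set(args), None
    if key == "sslbancipher":
        return indent + "SSLRequire not (%{SSL_CIPHER} in " + cipher_set(args) + ")", None
    if key in UNMAPPED:
        return indent + "# REVIEW (" + UNMAPPED[key] + "): " + line.strip(), UNMAPPED[key]
    return line, None

def migrate(text):
    lines, notes = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new, note = migrate_line(line)
        lines.append(new)
        if note:
            notes.append((n, note))
    return "\n".join(lines), notes

# Constructed sample configuration (not from the original page).
SAMPLE = "SSLEnable\n  SSLBanCipher NULL-MD5 EXP-RC4-MD5\nSSL_SessionDir /var/cache/ssl\n"
```

`migrate(SAMPLE)` returns the rewritten text together with a list of `(line number, reason)` pairs for every directive that Table 1 marks as removed, unsupported or not directly mappable.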
When you use ``SSLOptions +CompatEnvVars'' additional environment variables are generated. They all correspond to existing official mod_ssl variables. The currently implemented variable derivation is listed in Table 2.
Old Variable | mod_ssl Variable | Comment |
---|---|---|
SSL_PROTOCOL_VERSION | SSL_PROTOCOL | renamed |
SSLEAY_VERSION | SSL_VERSION_LIBRARY | renamed |
HTTPS_SECRETKEYSIZE | SSL_CIPHER_USEKEYSIZE | renamed |
HTTPS_KEYSIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
HTTPS_CIPHER | SSL_CIPHER | renamed |
HTTPS_EXPORT | SSL_CIPHER_EXPORT | renamed |
SSL_SERVER_KEY_SIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
SSL_SERVER_CERTIFICATE | SSL_SERVER_CERT | renamed |
SSL_SERVER_CERT_START | SSL_SERVER_V_START | renamed |
SSL_SERVER_CERT_END | SSL_SERVER_V_END | renamed |
SSL_SERVER_CERT_SERIAL | SSL_SERVER_M_SERIAL | renamed |
SSL_SERVER_SIGNATURE_ALGORITHM | SSL_SERVER_A_SIG | renamed |
SSL_SERVER_DN | SSL_SERVER_S_DN | renamed |
SSL_SERVER_CN | SSL_SERVER_S_DN_CN | renamed |
SSL_SERVER_EMAIL | SSL_SERVER_S_DN_Email | renamed |
SSL_SERVER_O | SSL_SERVER_S_DN_O | renamed |
SSL_SERVER_OU | SSL_SERVER_S_DN_OU | renamed |
SSL_SERVER_C | SSL_SERVER_S_DN_C | renamed |
SSL_SERVER_SP | SSL_SERVER_S_DN_SP | renamed |
SSL_SERVER_L | SSL_SERVER_S_DN_L | renamed |
SSL_SERVER_IDN | SSL_SERVER_I_DN | renamed |
SSL_SERVER_ICN | SSL_SERVER_I_DN_CN | renamed |
SSL_SERVER_IEMAIL | SSL_SERVER_I_DN_Email | renamed |
SSL_SERVER_IO | SSL_SERVER_I_DN_O | renamed |
SSL_SERVER_IOU | SSL_SERVER_I_DN_OU | renamed |
SSL_SERVER_IC | SSL_SERVER_I_DN_C | renamed |
SSL_SERVER_ISP | SSL_SERVER_I_DN_SP | renamed |
SSL_SERVER_IL | SSL_SERVER_I_DN_L | renamed |
SSL_CLIENT_CERTIFICATE | SSL_CLIENT_CERT | renamed |
SSL_CLIENT_CERT_START | SSL_CLIENT_V_START | renamed |
SSL_CLIENT_CERT_END | SSL_CLIENT_V_END | renamed |
SSL_CLIENT_CERT_SERIAL | SSL_CLIENT_M_SERIAL | renamed |
SSL_CLIENT_SIGNATURE_ALGORITHM | SSL_CLIENT_A_SIG | renamed |
SSL_CLIENT_DN | SSL_CLIENT_S_DN | renamed |
SSL_CLIENT_CN | SSL_CLIENT_S_DN_CN | renamed |
SSL_CLIENT_EMAIL | SSL_CLIENT_S_DN_Email | renamed |
SSL_CLIENT_O | SSL_CLIENT_S_DN_O | renamed |
SSL_CLIENT_OU | SSL_CLIENT_S_DN_OU | renamed |
SSL_CLIENT_C | SSL_CLIENT_S_DN_C | renamed |
SSL_CLIENT_SP | SSL_CLIENT_S_DN_SP | renamed |
SSL_CLIENT_L | SSL_CLIENT_S_DN_L | renamed |
SSL_CLIENT_IDN | SSL_CLIENT_I_DN | renamed |
SSL_CLIENT_ICN | SSL_CLIENT_I_DN_CN | renamed |
SSL_CLIENT_IEMAIL | SSL_CLIENT_I_DN_Email | renamed |
SSL_CLIENT_IO | SSL_CLIENT_I_DN_O | renamed |
SSL_CLIENT_IOU | SSL_CLIENT_I_DN_OU | renamed |
SSL_CLIENT_IC | SSL_CLIENT_I_DN_C | renamed |
SSL_CLIENT_ISP | SSL_CLIENT_I_DN_SP | renamed |
SSL_CLIENT_IL | SSL_CLIENT_I_DN_L | renamed |
SSL_EXPORT | SSL_CIPHER_EXPORT | renamed |
SSL_KEYSIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
SSL_SECKEYSIZE | SSL_CIPHER_USEKEYSIZE | renamed |
SSL_SSLEAY_VERSION | SSL_VERSION_LIBRARY | renamed |
SSL_STRONG_CRYPTO | - | Not supported by mod_ssl |
SSL_SERVER_KEY_EXP | - | Not supported by mod_ssl |
SSL_SERVER_KEY_ALGORITHM | - | Not supported by mod_ssl |
SSL_SERVER_KEY_SIZE | - | Not supported by mod_ssl |
SSL_SERVER_SESSIONDIR | - | Not supported by mod_ssl |
SSL_SERVER_CERTIFICATELOGDIR | - | Not supported by mod_ssl |
SSL_SERVER_CERTFILE | - | Not supported by mod_ssl |
SSL_SERVER_KEYFILE | - | Not supported by mod_ssl |
SSL_SERVER_KEYFILETYPE | - | Not supported by mod_ssl |
SSL_CLIENT_KEY_EXP | - | Not supported by mod_ssl |
SSL_CLIENT_KEY_ALGORITHM | - | Not supported by mod_ssl |
SSL_CLIENT_KEY_SIZE | - | Not supported by mod_ssl |
When mod_ssl is built into Apache or at least loaded (under DSO situation) additional functions exist for the Custom Log Format of mod_log_config as documented in the Reference Chapter. Beside the ``%{varname}x'' eXtension format function which can be used to expand any variables provided by any module, an additional Cryptography ``%{name}c'' cryptography format function exists for backward compatibility. The currently implemented function calls are listed in Table 3.
Function Call | Description |
---|---|
%...{version}c | SSL protocol version |
%...{cipher}c | SSL cipher |
%...{subjectdn}c | Client Certificate Subject Distinguished Name |
%...{issuerdn}c | Client Certificate Issuer Distinguished Name |
%...{errcode}c | Certificate Verification Error (numerical) |
%...{errstr}c | Certificate Verification Error (string) |